Go ahead and hack that car in peace.
In a move greeted happily by cybersecurity researchers around the world, the electric-automobile company Tesla announced that hacking the company’s software as part of “good-faith security research” will not void your warranty. The announcement is part of a “goodwill” revamping of Tesla’s vulnerability disclosure program to allow research without risking legal action, a voided warranty or a broken car — as long as hackers play by the rules.
— Tesla (@Tesla) September 5, 2018
“Tesla values the work done by security researchers in improving the security of our products and service offerings,” the company’s vulnerability disclosure page reads. “We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.”
Casey Ellis, founder of bug bounty company BugCrowd, called the move “a massive step forward in taking the risk out of #vulnerabilitydisclosure and #bugbounty by @tesla, and maximizing the benefit of a safer internet … i sincerely hope this becomes the status quo.”
Tesla’s disclosure program will allow researchers who stay within the guidelines to have official assistance from the company including “reflashing” the car’s software in the event that hacking causes technical issues requiring a fix.
It’s an important stance from a highly visible company because the work of security researchers has historically put hackers in the cross hairs of big companies, which typically dislike seeing people mess with their products — even if it’s in pursuit of greater security.
In March, Dropbox overhauled its own vulnerability disclosure policy in a move aimed to clarify its relationship with cybersecurity researchers after “decades of abuse, threats, and bullying” by companies.
“We’ve done this because we’d like to see others take a similar approach,” Dropbox Head of Security Chris Evans wrote in March. “We value the open security research community and have taken steps to protect researchers. We expect any company which has security as a priority will do the same.”
Within the last year, journalists and security researchers have been on the receiving end of multiple lawsuits over the public disclosure of technical flaws in commercial software. Keeper Security sued Ars Technica journalist Dan Goodin about an article that described flaws in Keeper’s password manager, a lawsuit that was dismissed in April.
Amit Elazari, a bug bounty expert and University of California Berkeley doctoral candidate, previously praised Tesla’s attitude on the issue. Elazari is credited with lobbying Dropbox on its stance as well.
Thanks @elonmusk @Tesla for picking up this suggestion and adopting a legal safe harbor for researchers in your bug bounty: this helps friendly hackers to help all of us #legalbugbounty https://t.co/7ZhxrlhR9g
— Amit Elazari (@AmitElazari) August 12, 2018